A lightweight utility for programmatically reading and manipulating Zeek (Bro) NSM log files and outputting into JSON or CSV format. This library works on both Python 2 and Python 3.
The following example first loads records from the Zeek connection log named conn.log. The data is the written out to a file named out.json. The name of the log file to read must be provided when creating the ParseBroLog class. You can use the safe_headers=True option in the to_json method to replace all instances of a dot with an underscore.
from parsezeeklogs import ParseZeekLogs
with open('out.json',"w") as outfile:
for log_record in ParseZeekLogs("conn.log", output_format="json", safe_headers=False):
if log_record is not None:
outfile.write(log_record + "\n")This is another example that instead uses the csv output method to write the data out to a file named out.csv. This example shows filtering on specific fields within the log file. Field names should be provided as list elements.
from parsezeeklogs import ParseZeekLogs
with open('out.csv',"w") as outfile:
for log_record in ParseZeekLogs("conn.log", output_format="csv", safe_headers=False, fields=["ts","id.orig_h","id.orig_p","id.resp_h","id.resp_p"]):
if log_record is not None:
outfile.write(log_record + "\n")- @geekscrapy: For bug fixes and the safe header feature addition